Date   

Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

Warner Losh
 



On Wed, Jul 6, 2022 at 5:48 AM McCoy Smith <mccoy@...> wrote:

No, that’s not really my issue. I believe the logical operators and the ability to designate file-level licenses in SPDX handle your situation.

I’m talking about using SPDX to provide a copy of the terms of a license which don’t apply, but which nevertheless must be provided per the license itself. As is required in BSD/MIT/Apache (as well as copyleft licenses, but that’s really not applicable to my circumstances since copyleft requires the license terms be provided, *and* be applied)


What makes you think they don't apply? If you have to reproduce the notice, the terms apply. You can't just take code and change the license without the permission of the copyright holders/owners/etc. As an author of BSD code, I for one would strongly and strenuously object to this sort of thing were it done to my code. Either you used enough code that the terms apply (you created a derived work and have to comply) or you didn't (you created a new enough work the terms do not apply and you don't need to comply). If it applies, it is an AND. If it doesn't apply, I'd say it's outside the scope of SPDX. There is no "provide the notice but doesn't comply" option that I'm aware of in copyright law.

So, I don't think legally there's this halfway thing that you are suggesting, but I'm going to let others on the list opine about that as I'm not an attorney. I've just been doing this for the last 30 years and have been FreeBSD's licensing expert for much of that time.

Warner 

 

From: spdx@... <spdx@...> On Behalf Of Shawn Clark
Sent: Tuesday, July 5, 2022 10:48 AM
To: spdx@...
Cc: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

 

I have spent a lot of time contemplating the question, but want to confirm I'm thinking about the same thing:

 

Are you talking about the nature of open source requiring (such as in a requirements.txt) other open source code/components that ultimately mean the terms of several licenses would apply to the top level software package (such as the total python package)? And how to include those identifiers in spdx, either as a requirement of the open source license, or as a pass-through of a license (such as lgpl/gpl)?

 

I have thoughts on the topic but wanted to confirm before I ramble on about it 😁 I may be off the rails here.

 

Cheers!

-Shawn Clark

Michigan Attorney, P79081

 

 

 

 

On Fri, Jul 1, 2022, 4:17 PM McCoy Smith <mccoy@...> wrote:

Well the example is the reverse: inbound BSD-2-Clause, outbound MIT.

I’m more thinking license identifiers that go with the code (since I think for most folks that’s where they do license attribution/license copy requirements).

But obviously the issue/problem is more generic given that some permissive licenses allow the notice to be in either (or in some cases require in both) the source or documentation.

 

From: spdx@... <spdx@...> On Behalf Of J Lovejoy
Sent: Friday, July 1, 2022 1:11 PM
To: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

 

Hi McCoy!

 

I’m moving the SPDX-general list to BCC and replying to SPDX-legal as that is the right place for this discussion.

 

Where is this question coming up in terms of context? That is, are you thinking in the context of an SPDX document and capturing  the licensing info for a file that is under MIT originally but then redistributed under BSD-2-Clause? Or are you thinking in the context of using an SPDX license identifiers in the source files?

 

Thanks,

Jilayne

 

On Jul 1, 2022, at 12:01 PM, McCoy Smith <mccoy@...> wrote:

 

I didn’t see this particular topic addressed in the specification (although I’m happy to be correcedt if I missed it), so I thought I’d post and see whether there is a solution that’s commonly used, or if there’s room for a new identifier.

 

Virtually all so-called “permissive” licenses permit the recipient of code to license out under different terms, as long as all the requirements of the in-bound license are met. In almost all of these permissive licenses those requirement boil down to:

  1. Preserve all existing IP notices (or in some cases, just copyright notices)
  2. Provide a copy of the license (or something to that effect: retaining “this permission notice” (ICU/Unicode/MIT)  or “this list of conditions” (BSD) or providing “a copy of this License” (Apache 2.0))

 

The rules around element 1 and SPDX are well-described.

With regard to element 2, a fully-compliant but informative notice when there is a change from the in-bound to the out-bound license would look something like this (with the square bracketed part being an example of a way to say this):

 

SPDX-License-Identifier: MIT

[This file/package/project contains code originally licensed under:]

SPDX-License-Identifier: BSD-2-Clause

 

The point being to express that the outbound license is MIT, but in order to fully comply with the requirements of BSD-2-Clause, one must retain “ this list of conditions and the following disclaimer” which including a copy of BSD-2-Clause accomplishes. Without the square bracketed statement above, it seems confusing as to what the license is (or whether, for example, the code is dual-licensed MIT AND BSD-2-Clause.


One way to do this I suppose is to use the LicenseComment: field to include this information, but it seems to me that this is enough of a common situation that there ought to be something more specific to address this situation.

 

Thoughts? Am I missing something?

 


Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

Shawn Clark
 

I have spent a lot of time contemplating the question, but want to confirm I'm thinking about the same thing:

Are you talking about the nature of open source requiring (such as in a requirements.txt) other open source code/components that ultimately mean the terms of several licenses would apply to the top level software package (such as the total python package)? And how to include those identifiers in spdx, either as a requirement of the open source license, or as a pass-through of a license (such as lgpl/gpl)?

I have thoughts on the topic but wanted to confirm before I ramble on about it 😁 I may be off the rails here.

Cheers!
-Shawn Clark
Michigan Attorney, P79081




On Fri, Jul 1, 2022, 4:17 PM McCoy Smith <mccoy@...> wrote:

Well the example is the reverse: inbound BSD-2-Clause, outbound MIT.

I’m more thinking license identifiers that go with the code (since I think for most folks that’s where they do license attribution/license copy requirements).

But obviously the issue/problem is more generic given that some permissive licenses allow the notice to be in either (or in some cases require in both) the source or documentation.

 

From: spdx@... <spdx@...> On Behalf Of J Lovejoy
Sent: Friday, July 1, 2022 1:11 PM
To: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

 

Hi McCoy!

 

I’m moving the SPDX-general list to BCC and replying to SPDX-legal as that is the right place for this discussion.

 

Where is this question coming up in terms of context? That is, are you thinking in the context of an SPDX document and capturing  the licensing info for a file that is under MIT originally but then redistributed under BSD-2-Clause? Or are you thinking in the context of using an SPDX license identifiers in the source files?

 

Thanks,

Jilayne



On Jul 1, 2022, at 12:01 PM, McCoy Smith <mccoy@...> wrote:

 

I didn’t see this particular topic addressed in the specification (although I’m happy to be correcedt if I missed it), so I thought I’d post and see whether there is a solution that’s commonly used, or if there’s room for a new identifier.

 

Virtually all so-called “permissive” licenses permit the recipient of code to license out under different terms, as long as all the requirements of the in-bound license are met. In almost all of these permissive licenses those requirement boil down to:

  1. Preserve all existing IP notices (or in some cases, just copyright notices)
  2. Provide a copy of the license (or something to that effect: retaining “this permission notice” (ICU/Unicode/MIT)  or “this list of conditions” (BSD) or providing “a copy of this License” (Apache 2.0))

 

The rules around element 1 and SPDX are well-described.

With regard to element 2, a fully-compliant but informative notice when there is a change from the in-bound to the out-bound license would look something like this (with the square bracketed part being an example of a way to say this):

 

SPDX-License-Identifier: MIT

[This file/package/project contains code originally licensed under:]

SPDX-License-Identifier: BSD-2-Clause

 

The point being to express that the outbound license is MIT, but in order to fully comply with the requirements of BSD-2-Clause, one must retain “ this list of conditions and the following disclaimer” which including a copy of BSD-2-Clause accomplishes. Without the square bracketed statement above, it seems confusing as to what the license is (or whether, for example, the code is dual-licensed MIT AND BSD-2-Clause.


One way to do this I suppose is to use the LicenseComment: field to include this information, but it seems to me that this is enough of a common situation that there ought to be something more specific to address this situation.

 

Thoughts? Am I missing something?

 


Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

Warner Losh
 



On Fri, Jul 1, 2022, 2:17 PM McCoy Smith <mccoy@...> wrote:

Well the example is the reverse: inbound BSD-2-Clause, outbound MIT.

I’m more thinking license identifiers that go with the code (since I think for most folks that’s where they do license attribution/license copy requirements).

But obviously the issue/problem is more generic given that some permissive licenses allow the notice to be in either (or in some cases require in both) the source or documentation.

Are you allowed to do that without it becoming an AND? You can't just change the terms w/o permission like that I'd imagine... And I'm not sure how it would generalize...

Warner


From: spdx@... <spdx@...> On Behalf Of J Lovejoy
Sent: Friday, July 1, 2022 1:11 PM
To: SPDX-legal <spdx-legal@...>
Subject: Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

 

Hi McCoy!

 

I’m moving the SPDX-general list to BCC and replying to SPDX-legal as that is the right place for this discussion.

 

Where is this question coming up in terms of context? That is, are you thinking in the context of an SPDX document and capturing  the licensing info for a file that is under MIT originally but then redistributed under BSD-2-Clause? Or are you thinking in the context of using an SPDX license identifiers in the source files?

 

Thanks,

Jilayne



On Jul 1, 2022, at 12:01 PM, McCoy Smith <mccoy@...> wrote:

 

I didn’t see this particular topic addressed in the specification (although I’m happy to be correcedt if I missed it), so I thought I’d post and see whether there is a solution that’s commonly used, or if there’s room for a new identifier.

 

Virtually all so-called “permissive” licenses permit the recipient of code to license out under different terms, as long as all the requirements of the in-bound license are met. In almost all of these permissive licenses those requirement boil down to:

  1. Preserve all existing IP notices (or in some cases, just copyright notices)
  2. Provide a copy of the license (or something to that effect: retaining “this permission notice” (ICU/Unicode/MIT)  or “this list of conditions” (BSD) or providing “a copy of this License” (Apache 2.0))

 

The rules around element 1 and SPDX are well-described.

With regard to element 2, a fully-compliant but informative notice when there is a change from the in-bound to the out-bound license would look something like this (with the square bracketed part being an example of a way to say this):

 

SPDX-License-Identifier: MIT

[This file/package/project contains code originally licensed under:]

SPDX-License-Identifier: BSD-2-Clause

 

The point being to express that the outbound license is MIT, but in order to fully comply with the requirements of BSD-2-Clause, one must retain “ this list of conditions and the following disclaimer” which including a copy of BSD-2-Clause accomplishes. Without the square bracketed statement above, it seems confusing as to what the license is (or whether, for example, the code is dual-licensed MIT AND BSD-2-Clause.


One way to do this I suppose is to use the LicenseComment: field to include this information, but it seems to me that this is enough of a common situation that there ought to be something more specific to address this situation.

 

Thoughts? Am I missing something?

 


Re: [spdx] Specific SPDX identifier question I didn't see addressed in the specification

J Lovejoy
 

Hi McCoy!

I’m moving the SPDX-general list to BCC and replying to SPDX-legal as that is the right place for this discussion.

Where is this question coming up in terms of context? That is, are you thinking in the context of an SPDX document and capturing  the licensing info for a file that is under MIT originally but then redistributed under BSD-2-Clause? Or are you thinking in the context of using an SPDX license identifiers in the source files?

Thanks,
Jilayne

On Jul 1, 2022, at 12:01 PM, McCoy Smith <mccoy@...> wrote:

I didn’t see this particular topic addressed in the specification (although I’m happy to be correcedt if I missed it), so I thought I’d post and see whether there is a solution that’s commonly used, or if there’s room for a new identifier.
 
Virtually all so-called “permissive” licenses permit the recipient of code to license out under different terms, as long as all the requirements of the in-bound license are met. In almost all of these permissive licenses those requirement boil down to:
  1. Preserve all existing IP notices (or in some cases, just copyright notices)
  2. Provide a copy of the license (or something to that effect: retaining “this permission notice” (ICU/Unicode/MIT)  or “this list of conditions” (BSD) or providing “a copy of this License” (Apache 2.0))
 
The rules around element 1 and SPDX are well-described.
With regard to element 2, a fully-compliant but informative notice when there is a change from the in-bound to the out-bound license would look something like this (with the square bracketed part being an example of a way to say this):
 
SPDX-License-Identifier: MIT
[This file/package/project contains code originally licensed under:]
SPDX-License-Identifier: BSD-2-Clause
 
The point being to express that the outbound license is MIT, but in order to fully comply with the requirements of BSD-2-Clause, one must retain “ this list of conditions and the following disclaimer” which including a copy of BSD-2-Clause accomplishes. Without the square bracketed statement above, it seems confusing as to what the license is (or whether, for example, the code is dual-licensed MIT AND BSD-2-Clause.

One way to do this I suppose is to use the LicenseComment: field to include this information, but it seems to me that this is enough of a common situation that there ought to be something more specific to address this situation.
 
Thoughts? Am I missing something?


Reminder - meeting Friday on License Namespaces policy

Steve Winslow
 

Greetings SPDX tech and legal teams,

 

A reminder we are continuing the license namespace policy discussions on this Friday, July 1, 2022, at the same time as the prior meetings (15:00 UTC, 11AM Eastern, 8AM Pacific).

 

https://meet.jit.si/SPDXLegalMeeting

 

We will focus this meeting on finalizing the "policies" for the namespace proposals, continuing the discussions where we left off two weeks ago. Minutes from the prior meeting are in the joint meetings minutes folder at https://github.com/spdx/meetings/blob/main/joint/2022-06-17.md.


Best,

Steve



Joint SPDX Tech / Legal call - namespaces

Gary O'Neall
 

Greetings all,

 

Below is information on the follow-up meetings regarding license namespaces.  Please mark your calendars if you are interested in attending – I will not be sending out any calendar invites.

 

I copied the minutes from our last call to the github repo: https://github.com/spdx/meetings/blob/main/joint/2022-06-17.md.  The policy discussion is captured in this Google doc: https://docs.google.com/document/d/1DU8oDW_DeGEkU8PQLdqp67HGwwTueCzjh02Y6OF1eQQ/edit#heading=h.neu95tojxpgj

 

One of the key decisions from the last meeting is that we will require registered DNS domains for the external license namespaces.

 

There’s still some work on remaining on the policy, so please feel free to continue the discussion through comments and suggestions in the Google Doc before the next meeting.

 

It’s been a bit of a challenge to schedule the follow-up meetings, so we’re going to change the order of the discussions based on availability of those leading the discussions.

 

We’ll have a call limited to the namespace syntax immediately following the tech team call on Tuesday (10:30 AM Pacific Time, 17:30 GMT 28 June 2022) led by Alexios.  Please review the current proposed syntaxes in the GitHub Pull Request: https://github.com/spdx/spdx-spec/pull/681

 

We will have a separate call to complete the policy discussions on Friday at the usual time (8:00 AM Pacific, 15:00 GMT 1 July 2022) led by the legal team (Steve and/or Jilayne).

 

Both meetings will just the JITSI coordinates:

https://meet.jit.si/SPDXLegalMeeting

Dial-in: +1.512.647.1431 PIN: 3275 0470 68#

 

If any policy decisions impact the syntax, we will revisit the syntax after the policy discussion on Friday.

 

Let me know if you have any questions or concerns with the follow-up meetings or agendas.


Thanks,
Gary

 

-------------------------------------------------

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: gary@...

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.

 


Re: Fun with licenses

Sebastian Crane
 

Dear Karsten,

„the and any this you license software for that not use with may code such agreement other terms under are rights work your all from shall source including copyright provided will without its party conditions must which licensee notice version distribute licensed program licensor means damages copy original have otherwise section liability third subject information distribution warranties contributor product documentation applicable law data granted warranty but purpose limited limitation implied only public following modifications form services non covered works available make above free derivative has copies right patent permission agree file part laws used licence modified modify each extent apply“!

... are the top 100 English words used in license text (as far as the metaeffekt universe goes).
This would make the perfect libretto for a foss-themed opera!

Best wishes,

Sebastian


Re: Fun with licenses

Phil Odence <phil.odence@...>
 

Good one for a Friday afternoon!

 

From: Spdx-legal@... <Spdx-legal@...> on behalf of Karsten Klein <karsten.klein@...>
Date: Friday, June 24, 2022 at 1:22 PM
To: SPDX-legal <Spdx-legal@...>, Spdx-tech@... <Spdx-tech@...>
Subject: Fun with licenses

Hi all,

did you know:

„the and any this you license software for that not use with may code such agreement other terms under are rights work your all from shall source including copyright provided will without its party conditions must which licensee notice version distribute licensed program licensor means damages copy original have otherwise section liability third subject information distribution warranties contributor product documentation applicable law data granted warranty but purpose limited limitation implied only public following modifications form services non covered works available make above free derivative has copies right patent permission agree file part laws used licence modified modify each extent apply“!

... are the top 100 English words used in license text (as far as the metaeffekt universe goes).

We had some fun with the word list today and I felt obliged to share this in the category “fun with licenses”.

I wish you all a pleasant weekend…

Cheers,
Karsten









Fun with licenses

Karsten Klein
 

Hi all,

did you know:

„the and any this you license software for that not use with may code such agreement other terms under are rights work your all from shall source including copyright provided will without its party conditions must which licensee notice version distribute licensed program licensor means damages copy original have otherwise section liability third subject information distribution warranties contributor product documentation applicable law data granted warranty but purpose limited limitation implied only public following modifications form services non covered works available make above free derivative has copies right patent permission agree file part laws used licence modified modify each extent apply“!

... are the top 100 English words used in license text (as far as the metaeffekt universe goes).

We had some fun with the word list today and I felt obliged to share this in the category “fun with licenses”.

I wish you all a pleasant weekend…

Cheers,
Karsten


Re: [spdx-tech] No Namespace proposal meeting today?

Gary O'Neall
 

Hi Sebastian,

Sorry - I've been negligent at sending out the follow-up meeting
information.

I missed the end of last week's call, but I believe it was decided to not
have a call this week due to the Linux conference and several people not
being available.

We're considering a follow-up meeting right after the tech call on Tuesday
focused exclusively on the syntax and possibly another meeting next Friday
continuing the policy discussions.

I'll copy over the minutes to the repo and send a follow-up email later
today or tomorrow.

Best regards,
Gary

-----Original Message-----
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of
Sebastian Crane
Sent: Friday, June 24, 2022 8:08 AM
To: SPDX Technical Mailing List <spdx-tech@...>; SPDX Legal
Mailing List <spdx-legal@...>
Subject: [spdx-tech] No Namespace proposal meeting today?

Dear all,

I thought there was supposed to be a Namespace Proposal meeting at this
time today, but I've joined the video call and there are only a couple of
others
here.

Best wishes,

Sebastian



No Namespace proposal meeting today?

Sebastian Crane
 

Dear all,

I thought there was supposed to be a Namespace Proposal meeting at
this time today, but I've joined the video call and there are only a
couple of others here.

Best wishes,

Sebastian


No legal team meeting June 23

J Lovejoy
 

Hi all,

With a conference going on and end of quarter, we’ll skip our call this week. Please have a look at any open GitHub issues in the meantime!

Jilayne 

Sent from my phone, please excuse brevity and typographical errors. 


Re: License Identification

David Kemp
 

(On a related note, we also support registration of a numeric identifier for each license identifier, as ISO 3166 (https://www.iso.org/obp/ui/#search) assigns both a number and a text ID to each country..  This is for use in efficient non-human-readable data formats such as Protobuf and CBOR.
[JL]  The SPDX License List already provides a machine-readable (text) unique id to each license. Why is that not enough?

For three reasons:
1) efficiency - a 16 bit integer is sufficient to identify 65,000 licenses.  CBOR uses variable-length encoding of integers (major type 0), and even in JSON a number (e.g. 942 - three bytes) is more efficient than a string ("AGPL-3.0-or-later" - nineteen bytes).  When SBOM files climb into the megabyte range, efficiency matters.
2) registration reliability - double-entry bookkeeping was invented to detect errors by enabling independent checks.  Assigning both numeric and string IDs to a license text promotes robustness in the registration process and facilitates anomaly detection.
3) precedent - for the same reason IANA manages ports ("http" = port 80) and status codes (404 = "Not Found"), and the same reason databases use things like numeric primary keys instead of strings.  Numbers are meaningless - nobody is going to claim copyright infringement on the number 279, even though there might be claims by native Americans against strings like "Apache-2.0".  In the off chance that courts force a license ID to be invalidated, the referenceNumber remains a constant identifier that can be mapped to a new string ID.

Regards,
David Kemp


Re: License Identification

David Kemp
 

[DK]:
Using different technical mechanisms to identify source-available licenses and other licenses is not efficient, and we strongly support the use of a single technical mechanism (a deconflicted unified license identifier list) for use in SBOM files.
[JL]: 
I interpret this as meaning you support the concept of having a more “transferable” way to use LicenseRef- as per the original intent of the proposal - that is, a license defined using LicenseRef- is not “limited” to just being identified in that specific SPDX Document. Note, there is also already a way to capture license text for LicenseRef- licenses and link it - this is part of an earlier call and there is a task to improve the explanation of this in the spec because no one was really aware (see previous meeting notes about that)

No, you are mistaken.  I am not looking for a way to use LicenseRef-, because LicenseRef- uses "a different technical mechanism" for different licenses.  Instead of jumping to the technical solution of using LicenseRef, I am looking at the problem LicenseRef- was created to solve and observing that there is a simpler alternative that applies to all licenses registered by a license registration authority.  License registration authorities, of which the SPDX legal team is one, assign license IDs to license texts using processes of their own choosing. The single technical requirement is trivial: IDs cannot be duplicated or re-used - once an ID has been assigned to a text by an authority, the same ID cannot be assigned to a different text.

Regards,
David Kemp

(now subscribed to spdx-legal)


Re: License Identification

J Lovejoy
 

(removing general mailing list and adding spdx-tech)

David, 

A few clarifications below:

Btw, you are not a member of the spdx-legal mailing list, so these emails keep bouncing. Could you please join it, so I don’t have to manage the bounces?  :) 

Thanks!
Jilayne


On Jun 17, 2022, at 11:43 AM, David Kemp <dk190a@...> wrote:

All,

I strongly support Gary's approach of identifying requirements first, then identifying and selecting from technical solutions that meet all requirements.

The requirements are:

* The SPDX legal team must:
  - define criteria for accepting licenses
  - evaluate licenses for conformance with the criteria
  - publish a list of licenses that meet the criteria

To be clear - this is already well-established as what the SPDX legal team already does for the SPDX License List. 
This is NOT part of the current proposal we’ve been discussing the last 3 Fridays b/c it doesn’t need to be. Please familiarize yourself with the explanation and links at the top of the license list page https://spdx.org/licenses/ in contrast to the section in the SPDX Spec regarding “Other License Info” and the use of LicenseRef- here: https://spdx.github.io/spdx-spec/other-licensing-information-detected/

The “namespace” proposal builds upon the LicenseRef option. 


* The SPDX technical team must:
  - define SBOM data formats that unambiguously identify licenses applicable to all software of interest in the cybersecurity domain.

I’m not sure that is entirely accurate. How licenses are identified is the domain of the SPDX legal team, although I recognize that “identify” is broad and we may be thinking of that in different ways.
And identifying licenses is certainly of interest to more than the cybersecurity domain.


Today's discussion presupposes a technical solution, e.g., using namespaces, tying namespaces to DNS names, resolving IP issues related to licenses and namespaces, etc.  Other technical solutions that avoid namespaces are on the table and have not yet been discussed.

Let’s keep in mind (because I fear it gets lost and that may contribute to why we’ve been talking about this proposal for… years!) the high-level goal of the proposal which is to create a standard way to use LicenseRef- such that a License-Ref can be used to refer to a specific license outside the context of an SPDX Document, by using a ’namespace’ along with LicenseRef-. 
The original intent was in the context of licenses that don’t meet the SPDX License Inclusion principles (which by the way, have been revised and softened since this discussion began). 

* Software licenses that apply only to executables and do not provide for the availability of the source code will not be included on the SPDX License List.
this is one of the current SPDX License List inclusion principles.  There is a long history and sensible rationale for this, which I’m happy to fill you in on separately. 


The U.S. Government has an interest in promoting cybersecurity through supply chain assurance, which includes SBOMs for software that is out of scope for SPDX registration (e.g., software for which source code is not available). 
In the case that the US Government is using SPDX for its SBOM format, then there is already a way to document such licenses by way of section 10 

The U.S. Government has an interest in promoting efficient SCRM solutions.

Using different technical mechanisms to identify source-available licenses and other licenses is not efficient, and we strongly support the use of a single technical mechanism (a deconflicted unified license identifier list) for use in SBOM files.
I interpret this as meaning you support the concept of having a more “transferable” way to use LicenseRef- as per the original intent of the proposal - that is, a license defined using LicenseRef- is not “limited” to just being identified in that specific SPDX Document. Note, there is also already a way to capture license text for LicenseRef- licenses and link it - this is part of an earlier call and there is a task to improve the explanation of this in the spec because no one was really aware (see previous meeting notes about that)

(On a related note, we also support registration of a numeric identifier for each license identifier, as ISO 3166 (https://www.iso.org/obp/ui/#search) assigns both a number and a text ID to each country..  This is for use in efficient non-human-readable data formats such as Protobuf and CBOR.
The SPDX License List already provides a machine-readable (text) unique id to each license. Why is that not enough?

  referenceNumber is already populated in the license list database https://github.com/spdx/license-list-data/blob/master/json/licenses.json but is not visible in the web version.)

Regards,
David Kemp
NSA Cybersecurity Collaboration Center
https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/


License Identification

David Kemp <dk190a@...>
 

All,

I strongly support Gary's approach of identifying requirements first, then identifying and selecting from technical solutions that meet all requirements.

The requirements are:

* The SPDX legal team must:
  - define criteria for accepting licenses
  - evaluate licenses for conformance with the criteria
  - publish a list of licenses that meet the criteria

* The SPDX technical team must:
  - define SBOM data formats that unambiguously identify licenses applicable to all software of interest in the cybersecurity domain.

Today's discussion presupposes a technical solution, e.g., using namespaces, tying namespaces to DNS names, resolving IP issues related to licenses and namespaces, etc.  Other technical solutions that avoid namespaces are on the table and have not yet been discussed.

* Software licenses that apply only to executables and do not provide for the availability of the source code will not be included on the SPDX License List.

The U.S. Government has an interest in promoting cybersecurity through supply chain assurance, which includes SBOMs for software that is out of scope for SPDX registration (e.g., software for which source code is not available).  The U.S. Government has an interest in promoting efficient SCRM solutions.

Using different technical mechanisms to identify source-available licenses and other licenses is not efficient, and we strongly support the use of a single technical mechanism (a deconflicted unified license identifier list) for use in SBOM files.

(On a related note, we also support registration of a numeric identifier for each license identifier, as ISO 3166 (https://www.iso.org/obp/ui/#search) assigns both a number and a text ID to each country..  This is for use in efficient non-human-readable data formats such as Protobuf and CBOR.  referenceNumber is already populated in the license list database https://github.com/spdx/license-list-data/blob/master/json/licenses.json but is not visible in the web version.)

Regards,
David Kemp
NSA Cybersecurity Collaboration Center
https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/


Re: Reminder - meeting tomorrow on License Namespaces

J Lovejoy
 

I wanted to clarify Philippe’s comment on how the SPDX-legal team chooses ids (which is generally documented here: https://github.com/spdx/license-list-XML/blob/master/DOCS/license-fields.md ) as specific to the examples mentioned below:

(also note - this thread was cross-posted to the tech and legal mailing lists, but it looks like David (?) is not on the legal mailing list, so it then seems like all replies may only be going to the tech list. If there is a cross-functional topic, please be sure you are a member of the relevant mailing lists so responses don’t get sidetracked away from one list or another)

Re: Reminder - meeting tomorrow on License Namespaces
From: Philippe Ombredanne
Date: Wed, 15 Jun 2022 17:43:01 MDT


2) has the SPDX legal team agreed to not assign any SPDX IDs that case-insensitively match a current or future Scancode Key without matching license texts? (I hope so, otherwise migrating to qualified license IDs is unavoidable.)
Not that I know of, but that would be a fairly easy and super useful
thing alright.
As a practical conflict example, we have been tracking in ScanCode the
Arphic Public License with the "arphic-public" and SPDX
"LicenseRef-scancode-arphic-public". When this was eventually added to
SPDX in the license list 3.17 this May, the key picked by SPDX has
been instead: "Arphic-1999"

The way we resolve this in the ScanCode licensedb is to:
- use the new "Arphic-1999" as the SPDX license id
- move our now "old" "LicenseRef-scancode-arphic-public" to a list of
"other_spdx_license_keys" because our user and their tools may depend
on this.

FWIW, we have been tracking this "arphic-public" for at least seven
years since before ScanCode was called ScanCode. I am not claiming
precedence here, rather just stating the date since when we started
tracking these in ScanCode licensedb for reference. These licenses
likely have existed for a long while before.

The same also happened in that same SPDX license list release:
- SPDX picked "Baekmuk" over ScanCode's "baemuk-fonts" (in ScanCode
since before 2015)
- SPDX picked "Bitstream-Vera" over ScanCode's "bistream" (in ScanCode
since before 2015)
- SPDX picked "mplus" over ScanCode's "m-plus" (in ScanCode since 2019)

So if the SPDX process could kindly consider and reuse identifiers we
have already used in ScanCode that would be more than nice and surely
help diminish a possible source of confusion.
ALL of the examples referenced were licenses already recognized and used by Fedora on their list. SPDX adopted the ids already in use by Fedora. This is directly inline with the documented description of SPDX License List fields for short identifiers as per the link above. I would hope that we can all agree that we should adopt the id used by a long-standing community project.


FW: Minutes and follow-up from today's joint tech/legal call on namespaces

Gary O'Neall
 

Just a reminder, we will be continuing the License Namespace discussion this Friday (likely today by the time you get this email) at 15:00 UTC/8AM Pacific at the coordinates below:

 

https://meet.jit.si/SPDXLegalMeeting

Dial-in: +1.512.647.1431 PIN: 3275 0470 68#

 

 

Gary

 

From: Gary O'Neall <gary@...>
Sent: Friday, June 10, 2022 9:55 AM
To: 'SPDX Technical Mailing List' <Spdx-tech@...>; 'SPDX-legal' <Spdx-legal@...>
Subject: Minutes and follow-up from today's joint tech/legal call on namespaces

 

Greetings SPDX Tech and Legal teams,

 

Good discussion today, we were able to close on the problem statements and make progress on the next steps and namespace policies.

 

Minutes from today’s joint call are in this pull request: https://github.com/spdx/meetings/pull/188

 

Those of you on the call, please review and comment on anything we missed.

 

Here’s a link to a Google Doc we can use to collaborate on Lightweight and Heavyweight policy proposals (see the minutes for context and details): https://docs.google.com/document/d/1DU8oDW_DeGEkU8PQLdqp67HGwwTueCzjh02Y6OF1eQQ/edit?usp=sharing

 

The link has suggestion permissions – if you would like editor access, please email me.

 

We will have another follow-up call next Friday at the same time and coordinate:

 

Friday, 17 June 2022, 15:00 UTC, 8AM Pacific

 

https://meet.jit.si/SPDXLegalMeeting

Dial-in: +1.512.647.1431 PIN: 3275 0470 68#

 

We will continue the discussion on the Namespace policies and, if time, discuss the syntax and process for registering namespaces.

 

Thanks,
Gary

 

-------------------------------------------------

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: gary@...

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.

 


Re: [spdx-tech] Reminder - meeting tomorrow on License Namespaces

Philippe Ombredanne
 

Dear David:

On Thu, Jun 16, 2022 at 6:57 AM David Kemp <dk190a@...> wrote:

Philippe,

I am not sure I read you correctly but if are you suggesting that
Dennis, other ScanCode contributors and I are "refusing to collaborate
on deconflicting local IDs" for SPDX license ids, that's quite the
opposite.

I did not think that, and I sincerely apologize for ineptly giving that impression. My intention was to thank Dennis for the opportunity to learn about ScanCode, and to express puzzlement that a namespacing approach was being considered.

I hope that processes and procedures for maintaining a coordinated license list can be worked out, and I'll try to avoid further interfering with that process.
You are not interfering at all... and I found your reply and insights
super useful. I do not know your background, but it is clear that you
have experience in this domain. So please do not stop!

--
Cordially
Philippe Ombredanne


Re: [spdx-tech] Reminder - meeting tomorrow on License Namespaces

Philippe Ombredanne
 

Hi David:

Thank you for your detailed feedback. See some comments inline below:

On Fri, Jun 10, 2022 at 10:47 AM Dennis Clark <dmclark@...> wrote:
Here is an example license list:

https://scancode-licensedb.aboutcode.org/
On Wed, Jun 15, 2022 at 12:16 AM David Kemp <dk190a@...> wrote:

Thanks Dennis. It appears that scancode has already done the administrative work to establish a unified (non-federated) license list.

Key Shortname SPDX ID
apache-2.0 Apache 2.0 Apache-2.0
apl-1.1 APL-1.1 LicenseRef-scancode-apl-1.1

Federated identity management is well-understood by users - nobody would mistakenly think that Dave99@... (or gmail:Dave99 using namespace:local notation) is the same person as Dave99@... (or outlook:Dave99). But switching to federated license IDs (spdx:Apache-2.0 and scancode:apl-1.1) doesn't sound like a user-friendly solution. The only thing that federation buys you is the ability to use colliding local IDs. But the cost is having to use qualified license IDs in order to avoid confusion and collisions. Is refusing to collaborate on deconflicting local IDs really worth that cost?
I am not sure I read you correctly but if are you suggesting that
Dennis, other ScanCode contributors and I are "refusing to collaborate
on deconflicting local IDs" for SPDX license ids, that's quite the
opposite.

For the record there are 530 licenses and exceptions in the SPDX
license list as of today (including obsolete ones). The latest
ScanCode license database (in git) has roughly 1300 **additional**
licenses that are not yet tracked in SPDX (1343 including deprecated).
We can contribute all these **today** to SPDX alright, but under the
current SPDX rules and staffing, it will take a very long while
(impossible to estimate) to have these reviewed and accepted; and they
may not be accepted at all based on current rules.

Questions:
1) has scancode assigned any Keys that case-insensitively match an SPDX ID but do not match license texts? (I assume not.)
No. We carefully ensure that there is no id conflict and have provided
and provide guarantees to our user community that ScanCode license
keys are aligned and do not conflict with SPDX license ids (ignoring
case) going as far as deprecating some of our license keys when new
SPDX assignments created a conflict (and these rare conflicts have
never been our making).

2) has the SPDX legal team agreed to not assign any SPDX IDs that case-insensitively match a current or future Scancode Key without matching license texts? (I hope so, otherwise migrating to qualified license IDs is unavoidable.)
Not that I know of, but that would be a fairly easy and super useful
thing alright.
As a practical conflict example, we have been tracking in ScanCode the
Arphic Public License with the "arphic-public" and SPDX
"LicenseRef-scancode-arphic-public". When this was eventually added to
SPDX in the license list 3.17 this May, the key picked by SPDX has
been instead: "Arphic-1999"

The way we resolve this in the ScanCode licensedb is to:
- use the new "Arphic-1999" as the SPDX license id
- move our now "old" "LicenseRef-scancode-arphic-public" to a list of
"other_spdx_license_keys" because our user and their tools may depend
on this.

FWIW, we have been tracking this "arphic-public" for at least seven
years since before ScanCode was called ScanCode. I am not claiming
precedence here, rather just stating the date since when we started
tracking these in ScanCode licensedb for reference. These licenses
likely have existed for a long while before.

The same also happened in that same SPDX license list release:
- SPDX picked "Baekmuk" over ScanCode's "baemuk-fonts" (in ScanCode
since before 2015)
- SPDX picked "Bitstream-Vera" over ScanCode's "bistream" (in ScanCode
since before 2015)
- SPDX picked "mplus" over ScanCode's "m-plus" (in ScanCode since 2019)

So if the SPDX process could kindly consider and reuse identifiers we
have already used in ScanCode that would be more than nice and surely
help diminish a possible source of confusion.

3) for additional license authorities (e.g., "acme") is the same first-come-first-served id deconfliction rule acceptable?
I cannot see nor fathom why not... ids are cheap! So this is 100%
fine. The only value of an "id" is to "identify" and be easy enough to
read and memorize for humans.

4) What problem are you trying to solve by not agreeing on a unified local ID list?
A unified list can always include a registration authority column to communicate different registration requirements. I don't understand the need for anything else.
You may be incorrectly assuming that Dennis, ScanCode and its
contributors are "not agreeing on a unified local ID list". Again
that's quite the opposite and speaking on behalf of this community, I
am 100% for a unified license ID list which will benefit everyone and
be a disservice to none.

Please tell me if this is a correct reformulation: you are suggesting
having a single, unified list of license identifiers maintained at
SPDX and assigned on a first-come-first-served basis. And with a
simple rule that no two ids conflict ignoring case and no two ids
point to the same text (say using SPDX matching guidelines).

If this is what you suggest, I couldn't agree more and I would support
this 100%. Weirdly enough I do not think that this has ever been
suggested before. Let's do it! This feels massively simpler and more
efficient than qualifying license ids with a namespace.
--
Cordially,
Philippe Ombredanne